First and foremost – there is no need for unnecessary panic! If diving into the settings to download and install an external global theme isn’t your first move after getting the impressive Plasma 6 desktop environment set up, you’re in the clear. Secondly, it’s important to note that the KDE team is on top of the issue. Here’s the scoop.
А Reddit user alerted (for reference here and here) about a significant issue with Plasma 6. Installing a specific external global theme triggers the execution of “rm -rf /” in the background. This command, known for its simplicity yet potential for extensive damage, wipes all data on the drive, including any additional mounted drives.
If you haven’t set up a dependable backup solution, you might justifiably consider this one of the darkest days you’ve experienced. In other words, there’s a risk that all your valuable content, cherished digital memories, and work-related data could be lost forever. Okay, how is that possible?
Firstly, let’s reiterate that we’re talking about an external global theme – a comprehensive package that includes things like window decorations, plugins, icons, colors, etc. According to the information available, the issue does not stem from malicious code intentionally inserted into the theme.
Instead, it arises from a flaw between the combination of the Plasma 6 codebase concerning the desktop environment’s handling of global theme implementation and the specific theme itself.
Still, the Plasma theme at the center of these discussions, “Grey Layout,” has nearly four thousand downloads and was previously used in Plasma 5 without any issues. Anyway, the theme has been removed from the KDE Store.
This leads to one primary concern – the efficiency with which the KDE team curates and audits the quality of external resources complementing and expanding its features. It might be time to reconsider how third-party themes are offered for download on Plasma.
David Edmundson, KDE Software Engineer & Project Lead, has just released a statement on this matter, which you can view here.
A global theme on the kde third party store had an issue where it executed a script that removed user’s data. It wasn’t intended as malicious, but a mistake in some shell parsing. It was promptly identified and removed, but not before doing some damage to that user.
This has started a lot of discourse around the concept of the store, secuirty and upstream KDE.
The explanation is straightforward if you need clarification about how a theme could run system commands and erase your disk. When discussing Plasma 6 global themes, we’re not referring to the typical theme composed of a handful of CSS files, images, and some JavaScript that most would consider.
Instead, imagine the Plasma 6 theme as an application in its own right. It encompasses plugins with access to various system resources necessary for their functionality, including the capacity to execute system commands.
Essentially, anyone with the requisite tech skills can design a theme and share it on the KDE Store, triggering user issues whether by design or accident. It’s evident that significant improvements are necessary in how the KDE Store manages the quality and verification of third-party software, a move Flathub has already made.
Finally, we highly recommend that you hold off installing any global themes on your Plasma 6 desktop environment. There is no way to know at the moment whether another one will appear and cause a problem. Unfortunately, the only way to know is after it has already happened.
“there is no need for unnecessary panic!”
OMG! WTF!
Oh wait… I’m not even using Plasma. Phew! 🙂
>“rm -rf /”
I can actually see how this could unintentionally happen if you’re concatenating path fragments for an operation, which happen to be all to be all empty. It should be easy in principle to fix.
Without themes is so boring (I hate Breeze) by default, almost as windows (boring), everything should be changed to make it look more or less good, and it isn’t a good task either as it isn’t simple to find good looking and working theme.
So themes must properly work or it will lost its significant benefit – possibility to make it more pretty
And I briefly checked and it looks almost the same so it is still my “first move after getting” KDE – change everything, it doesn’t look good enough by default (but I still prefer it over GNOME)…
98% of global themes I find wanting in they have the wrong shape and color of everything. There need to be a gui add on pgm to edit and change the svg/svgz files and colors. The files can be changed only by using hacking way’s. For example to change font color you need to change a HEX color to get what you may need because of vision needs.